Howto: Enable Windows Debug logging to solve authentication problems

I’ve had some authentication problems of late on one of my Windows 2000/2003 networks, so I decided to enable Net Logon debugging to help trace the source of the problem. KB 109626 details how to enable debug logging for Windows NT 3.51+, but if you’re running Windows 2000 or higher just exit to a command prompt and run the following command:

nltest /dbflag:2080FFFF

This will log Net Logon events to %windir%\debug\netlogon.log

Next, use Brad Rutkowski’s method of parsing the netlogon.log file for critical events using the tail.exe utility from the Windows 2003 Resource Kit.

tail.exe -f \\server\admin$\Debug\Netlogon.log |findstr /i Critical >critical.log

This filters the netlogon.log file for every line containing “critical” and writes those lines to the critical.log file.

Here’s an example of actual errors shown in my log:

09/18 12:51:50 [CRITICAL] DOM: NlGetIncomingPassword: Can’t NlSamOpenNamedUser for ELEMLAB03$ 0xc0000064.

9/18 12:51:50 [CRITICAL] DOM: NetrServerAuthenticate: Can’t NlGetIncomingPassword for ELEMLAB03$ 0xc0000064.

Finally I used err.exe to look up the 0xc0000064 errors shown above:

C:\Program Files\Windows Resource Kits\Tools\Err>err 0xc0000064
# for hex 0xc0000064 / decimal -1073741724 :
# The specified user does not exist.
# 1 matches found for “0xc0000064”

Err.exe reports that the cause of the 0xc0000064 error is that the user does not exist. Actually, a better description may be “object does not exist” since ELEMLAB03 is a computer, not a user. I fired up Active Directory Users and Computers and searched for ELEMLAB03, and the object does not exist, which probably explains why users are experiencing authentication issues when trying to access the domain from that particular machine!
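The same triage can be scripted once the log has been copied off the server. The following is an added example, not part of the original post: it parses only the [CRITICAL] line shape shown above, groups failures by account and status code, and reproduces the signed decimal that err.exe prints. The sample lines, the EXAMPLEPC01$ name and the function names are constructed for illustration.

```python
import re
from collections import Counter

# 0xc0000064 text is what err.exe printed in this post; the second entry is
# a standard NTSTATUS value added here for context.
NTSTATUS = {0xC0000064: "The specified user does not exist",
            0xC000006A: "Wrong password"}

# Matches only the line shape shown in the post:
#   MM/DD HH:MM:SS [CRITICAL] DOMAIN: Function: ... for ACCOUNT 0xSTATUS.
CRITICAL_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2} \d{2}:\d{2}:\d{2}) \[CRITICAL\] "
    r"(?P<domain>[^:]+): (?P<func>\w+): .* for (?P<account>\S+) "
    r"(?P<status>0x[0-9a-fA-F]{8})\.?\s*$")

def to_signed32(code):
    """Return the signed 32-bit decimal that err.exe shows beside the hex."""
    return code - (1 << 32) if code & 0x80000000 else code

def parse_critical(lines):
    """Yield one dict per CRITICAL line naming an account and a status."""
    for line in lines:
        m = CRITICAL_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"], 16)
            # A trailing $ marks a computer (machine) account, not a user.
            rec["is_computer"] = rec["account"].endswith("$")
            yield rec

def summarize(lines):
    """Count failures per (account, status) so repeat offenders stand out."""
    return Counter((r["account"], r["status"]) for r in parse_critical(lines))

# Constructed sample: the two lines from the post plus made-up neighbours.
SAMPLE = """\
09/18 12:51:49 [MISC] DOM: constructed non-critical line
09/18 12:51:50 [CRITICAL] DOM: NlGetIncomingPassword: Can't NlSamOpenNamedUser for ELEMLAB03$ 0xc0000064.
9/18 12:51:50 [CRITICAL] DOM: NetrServerAuthenticate: Can't NlGetIncomingPassword for ELEMLAB03$ 0xc0000064.
09/18 12:52:10 [CRITICAL] DOM: NlGetIncomingPassword: Can't NlSamOpenNamedUser for EXAMPLEPC01$ 0xc0000064.
""".splitlines()

if __name__ == "__main__":
    for (account, status), n in summarize(SAMPLE).most_common():
        text = NTSTATUS.get(status, "unknown status")
        print(f"{n:3d}  {account}  0x{status:08x} / {to_signed32(status)}  {text}")
```

Accounts that appear here with 0xc0000064 and a trailing $ are the ones to look up in Active Directory Users and Computers first.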

Once you’re finished debugging, run the following command to disable debug logging:

nltest /dbflag:0x0

One Response to “Howto: Enable Windows Debug logging to solve authentication problems”

  1. Debug Windows authentication issues — Says:

    […] about me, Ben Hamilton. Thanks for visiting! Julie, the back room tech, just wrote an article on how to enable debug logging to better solve authentication problems on MS Windows 2000, 2003. No doubt this will also help with tracking down a multitude of other […]
